This service is under active development. Features may change without notice.
← Back to Docs

CLI Reference

Complete reference for the sirr command-line interface. Every command, flag, and environment variable.

Installation

# macOS
brew install sirrlock/tap/sirr

# Windows
scoop bucket add sirrlock https://github.com/sirrlock/scoop-bucket
scoop install sirr

# Or download from GitHub Releases
# https://github.com/sirrlock/sirr/releases

Environment Variables

VariableDefaultDescription
SIRR_SERVERsirr://localhost:39999Server URL (sirr:// → http, sirrs:// → https)
SIRR_API_KEYAPI key for write operations (must match server)

push

Store a secret with optional TTL and read limit.

sirr push KEY=VALUE [--ttl <duration>] [--reads <n>] [--no-delete]
sirr push .env [--ttl <duration>]          # push entire .env file
  • --ttl — Time to live. Format: 30s, 5m, 2h, 7d, 30d
  • --reads — Maximum number of reads before the secret is burned
  • --no-delete — Secret is sealed when reads are exhausted but stays in the database. Can be updated via PATCH /secrets/:key and unsealed

get

Retrieve a secret value. Increments the read counter. Burns or seals the secret if the read limit is reached.

sirr get KEY

pull

Pull all secrets into a .env file on another machine.

sirr pull .env

run

Inject all secrets as environment variables and execute a command.

sirr run -- node app.js

list

List all active secrets. Metadata only — values are never shown.

sirr list

delete

Burn a secret immediately, regardless of TTL or read count.

sirr delete KEY

prune

Delete all expired secrets immediately.

sirr prune

share

Print a shareable reference URL for a secret.

sirr share KEY

rotate

Re-encrypt all records with a new master key. Offline operation — stop the server first.

sirr rotate

Requires SIRR_NEW_MASTER_KEY_FILE or SIRR_NEW_MASTER_KEY to be set.

Open source

The CLI is part of the Sirr Rust monorepo, licensed under BSL 1.1 (converts to Apache 2.0 in February 2028).

View on GitHub →